The fast-xml-parser library by NaturalIntelligence is a popular JavaScript tool for validating, parsing, and building XML without relying on native C/C++ libraries or callbacks. Versions 4.3.6 through 5.3.3 contain a vulnerability (CVE-2026-25128) stemming from improper input validation (CWE-20) during numeric entity processing. Specifically, when the parser encounters numeric XML entities with code points outside the valid Unicode range (e.g., � or �), it triggers a RangeError exception that is not caught within the library. This uncaught exception causes the entire application using the parser to crash, resulting in a denial of service (DoS) condition. The vulnerability does not expose sensitive data or allow code execution but disrupts service availability. The CVSS v3.1 score is 7.5 (high), reflecting network attack vector, no privileges or user interaction required, and high impact on availability. No known exploits are currently reported in the wild. The issue was publicly disclosed on January 30, 2026, and fixed in version 5.3.4 of fast-xml-parser. Organizations relying on this library for XML processing, especially those handling untrusted XML input, are at risk of service disruption if they use affected versions.

For European organizations, the primary impact is denial of service due to application crashes when processing maliciously crafted XML input containing out-of-range numeric entities. This can affect web services, APIs, or backend systems that parse XML data using fast-xml-parser, leading to downtime, degraded service availability, and potential operational disruption. Although confidentiality and integrity are not directly compromised, the availability impact can affect business continuity, customer trust, and compliance with service-level agreements. Industries relying heavily on XML for data interchange, such as finance, telecommunications, and government services, may experience significant operational risks. Additionally, automated systems that consume XML feeds could be disrupted, causing cascading failures. The lack of required authentication or user interaction for exploitation increases the risk surface, especially for externally facing services.

1. Upgrade fast-xml-parser to version 5.3.4 or later immediately to apply the official fix. 2. Implement strict input validation and sanitization on all XML inputs before parsing, rejecting or sanitizing numeric entities outside valid Unicode ranges. 3. Employ runtime exception handling around XML parsing calls to gracefully handle unexpected errors and prevent application crashes. 4. Use application-layer firewalls or XML gateways to detect and block malformed XML payloads containing suspicious numeric entities. 5. Monitor application logs for frequent parser exceptions or crashes indicative of exploitation attempts. 6. Conduct security testing and fuzzing on XML processing components to identify similar input validation weaknesses. 7. Educate developers on secure XML parsing practices and the risks of untrusted input. 8. For critical systems, consider implementing redundancy and failover mechanisms to maintain availability during attacks.